Query all unique rawmsghostname values


I’m trying to find a way to validate that all of my hosts' logs are making it into Helix.

I tried querying with “class=ms_windows_event | groupby rawmsghostname” but I think I’m running into a 50 bucket limit on groupby.

Is there another way to do this, or to raise the limit for a particular search?

Even returning the bucket names rather than the whole response (including the events) would solve the problem.

Thanks for posting this question! Let me reach out to some of our engineers on the Helix team and get you an answer!

One of our architects shared that you can use:

* | groupby rawmsghostname

Hope that helps!

Hello DFWS-DanB

Try the next one after the pipe sign
groupby rawmsghostname 500

where 500 is the designated bucket size. If it is not enough, increase it again and again.